
TLS 1.3 failed when the groups_list of server and client was set to "brainpoolP512r1:X25519" #21157

Closed
lan1120 opened this issue Jun 8, 2023 · 8 comments
Labels
triaged: bug The issue/pr is/fixes a bug

Comments

@lan1120
Contributor

lan1120 commented Jun 8, 2023

Issue Description:
TLS 1.3 failed when the groups_list of server and client was set to "brainpoolP512r1:X25519".

Server Configuration:
OpenSSL version: 3.0
groups_list:"brainpoolP512r1:X25519"
tls_version: TLSv1_3
Client Configuration:
OpenSSL version: 1.1.1n
groups_list:"brainpoolP512r1:X25519"

Server error log:
0A000417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
Client error log:
141BD06C:SSL routines:tls_parse_stoc_key_share:bad key share

Root cause:
Unsupported groups are incorrectly added to the key_share of the HelloRetryRequest.
In the HelloRetryRequest, the selected group in key_share is brainpoolP512r1.

lan1120 added the "issue: bug report" label (The issue was opened to report a bug) on Jun 8, 2023
@t8m
Member

t8m commented Jun 9, 2023

Could you please try 3.0.9 version on the server? There were some fixes in regards to brainpool groups.

@lan1120
Contributor Author

lan1120 commented Jun 9, 2023

I tried 3.0.9, 3.1.0 and the master version on the server; all failed with the same error.

mattcaswell added the "triaged: bug" label (The issue/pr is/fixes a bug) and removed the "issue: bug report" label on Jun 9, 2023
mattcaswell added a commit to mattcaswell/openssl that referenced this issue Jun 9, 2023
If the client sends us a group in a key_share that is in our
supported_groups list but is otherwise not suitable (e.g. not compatible
with TLSv1.3) we reject it. We should not ask for that same group again
in a subsequent HRR.

Fixes openssl#21157
@mattcaswell
Member

Fix in #21163

@bernd-edlinger
Member

Hmm, somehow the 1.1.1 version is also affected.
I've tried OpenSSL_1_1_1-stable server against the 111-features as client:

$ ./openssl s_server -groups brainpoolP512r1:X25519 -trace
Using default temp DH parameters
ACCEPT
Received Record
Header:
  Version = TLS 1.0 (0x301)
  Content Type = Handshake (22)
  Length = 405
    ClientHello, Length=401
      client_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0x75EF92D1
        random_bytes (len=28): 7C1B6D3AABFB54A20C480F77DE47A4DB3CE3B3C3A301470C1997CAE1
      session_id (len=32): C9D601BE13D2176C6299EECBAB2495E4A8CD3A804A34A26F73AD0C6B10CF48FC
      cipher_suites (len=62)
        {0x13, 0x02} TLS_AES_256_GCM_SHA384
        {0x13, 0x03} TLS_CHACHA20_POLY1305_SHA256
        {0x13, 0x01} TLS_AES_128_GCM_SHA256
        {0xC0, 0x2C} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9F} TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        {0xCC, 0xA9} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xA8} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xAA} TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xC0, 0x2B} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x2F} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x9E} TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x24} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x28} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        {0x00, 0x6B} TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        {0xC0, 0x23} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x27} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x67} TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x0A} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x14} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x39} TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x09} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        {0xC0, 0x13} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x33} TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x9D} TLS_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9C} TLS_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x3D} TLS_RSA_WITH_AES_256_CBC_SHA256
        {0x00, 0x3C} TLS_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x35} TLS_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
      compression_methods (len=1)
        No Compression (0x00)
      extensions, length = 266
        extension_type=server_name(0), length=14
          0000 - 00 0c 00 00 09 6c 6f 63-61 6c 68 6f 73 74      .....localhost
        extension_type=ec_point_formats(11), length=4
          uncompressed (0)
          ansiX962_compressed_prime (1)
          ansiX962_compressed_char2 (2)
        extension_type=supported_groups(10), length=8
          UNKNOWN (33)
          brainpoolP512r1 (28)
          ecdh_x25519 (29)
        extension_type=session_ticket(35), length=0
        extension_type=encrypt_then_mac(22), length=0
        extension_type=extended_master_secret(23), length=0
        extension_type=signature_algorithms(13), length=54
          ecdsa_secp256r1_sha256 (0x0403)
          ecdsa_secp384r1_sha384 (0x0503)
          ecdsa_secp521r1_sha512 (0x0603)
          ed25519 (0x0807)
          ed448 (0x0808)
          UNKNOWN (0x081a)
          UNKNOWN (0x081b)
          UNKNOWN (0x081c)
          rsa_pss_pss_sha256 (0x0809)
          rsa_pss_pss_sha384 (0x080a)
          rsa_pss_pss_sha512 (0x080b)
          rsa_pss_rsae_sha256 (0x0804)
          rsa_pss_rsae_sha384 (0x0805)
          rsa_pss_rsae_sha512 (0x0806)
          rsa_pkcs1_sha256 (0x0401)
          rsa_pkcs1_sha384 (0x0501)
          rsa_pkcs1_sha512 (0x0601)
          ecdsa_sha224 (0x0303)
          ecdsa_sha1 (0x0203)
          rsa_pkcs1_sha224 (0x0301)
          rsa_pkcs1_sha1 (0x0201)
          dsa_sha224 (0x0302)
          dsa_sha1 (0x0202)
          dsa_sha256 (0x0402)
          dsa_sha384 (0x0502)
          dsa_sha512 (0x0602)
        extension_type=supported_versions(43), length=9
          TLS 1.3 (772)
          TLS 1.2 (771)
          TLS 1.1 (770)
          TLS 1.0 (769)
        extension_type=psk_key_exchange_modes(45), length=2
          psk_dhe_ke (1)
        extension_type=key_share(51), length=135
            NamedGroup: UNKNOWN (33)
            key_exchange:  (len=129): 04270ACC1DB3764F307E073AABAEBF237E6D2A30E3D1FB8A8E0018479F90CBF8BA91150AE0BA7E0F601CFFB99B31E5789A6384268DBFF26C2DD3A43C4C5FAA860D5B3C1E7A069383C3C03F21B527B6234E16CFCB32C757DE07F4FACD8B0DD2B85A76BD85EFA08108CCE5B5314DAE3D8A6587CDEE378B66EF67C161A31DDC1EBA29

Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = Handshake (22)
  Length = 88
    ServerHello, Length=84
      server_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0xCF21AD74
        random_bytes (len=28): E59A6111BE1D8C021E65B891C2A211167ABB8C5E079E09E2C8A8339C
      session_id (len=32): C9D601BE13D2176C6299EECBAB2495E4A8CD3A804A34A26F73AD0C6B10CF48FC
      cipher_suite {0x13, 0x02} TLS_AES_256_GCM_SHA384
      compression_method: No Compression (0x00)
      extensions, length = 12
        extension_type=supported_versions(43), length=2
            TLS 1.3 (772)
        extension_type=key_share(51), length=2
            NamedGroup: brainpoolP512r1 (28)

Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ChangeCipherSpec (20)
  Length = 1
    change_cipher_spec (1)

Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = Alert (21)
  Length = 2
    Level=fatal(2), description=illegal parameter(47)

ERROR
139629946738496:error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:ssl/record/rec_layer_s3.c:1562:SSL alert number 47
shutting down SSL
CONNECTION CLOSED

vs. the client I've built from my features branch: https://github.com/bernd-edlinger/openssl/tree/openssl-111-features

$ ./openssl s_client -groups brainpoolP512r1:X25519 
CONNECTED(00000003)
140549456881472:error:141BD06C:SSL routines:tls_parse_stoc_key_share:bad key share:ssl/statem/extensions_clnt.c:1971:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 93 bytes and written 417 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

As you can see, the client tries to negotiate tls1.2 or tls1.3 using both flavours of brainpoolP512r1 and X25519, and then the 1.1.1 server tries to negotiate tls1.3 with the tls1.2 group, which is denied by the client.

@bernd-edlinger
Member

Also, it is completely weird what happens if I use 1.1.1 as both client and server:

$ ./openssl s_server -groups brainpoolP512r1:X25519 -trace
Using default temp DH parameters
ACCEPT
Received Record
Header:
  Version = TLS 1.0 (0x301)
  Content Type = Handshake (22)
  Length = 397
    ClientHello, Length=393
      client_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0xDAB7A9DA
        random_bytes (len=28): B3A1851F5D957625E15F50815122CEAA8558A5717B5B0FB915BDEBFA
      session_id (len=32): B227272E2418DA572476BEE7D4142C8F885CDF9D56C4D7CCAA6810763B9AFBCF
      cipher_suites (len=62)
        {0x13, 0x02} TLS_AES_256_GCM_SHA384
        {0x13, 0x03} TLS_CHACHA20_POLY1305_SHA256
        {0x13, 0x01} TLS_AES_128_GCM_SHA256
        {0xC0, 0x2C} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9F} TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        {0xCC, 0xA9} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xA8} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xAA} TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xC0, 0x2B} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x2F} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x9E} TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x24} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x28} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        {0x00, 0x6B} TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        {0xC0, 0x23} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x27} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x67} TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x0A} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x14} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x39} TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x09} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        {0xC0, 0x13} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x33} TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x9D} TLS_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9C} TLS_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x3D} TLS_RSA_WITH_AES_256_CBC_SHA256
        {0x00, 0x3C} TLS_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x35} TLS_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
      compression_methods (len=1)
        No Compression (0x00)
      extensions, length = 258
        extension_type=server_name(0), length=14
          0000 - 00 0c 00 00 09 6c 6f 63-61 6c 68 6f 73 74      .....localhost
        extension_type=ec_point_formats(11), length=4
          uncompressed (0)
          ansiX962_compressed_prime (1)
          ansiX962_compressed_char2 (2)
        extension_type=supported_groups(10), length=6
          brainpoolP512r1 (28)
          ecdh_x25519 (29)
        extension_type=session_ticket(35), length=0
        extension_type=encrypt_then_mac(22), length=0
        extension_type=extended_master_secret(23), length=0
        extension_type=signature_algorithms(13), length=48
          ecdsa_secp256r1_sha256 (0x0403)
          ecdsa_secp384r1_sha384 (0x0503)
          ecdsa_secp521r1_sha512 (0x0603)
          ed25519 (0x0807)
          ed448 (0x0808)
          rsa_pss_pss_sha256 (0x0809)
          rsa_pss_pss_sha384 (0x080a)
          rsa_pss_pss_sha512 (0x080b)
          rsa_pss_rsae_sha256 (0x0804)
          rsa_pss_rsae_sha384 (0x0805)
          rsa_pss_rsae_sha512 (0x0806)
          rsa_pkcs1_sha256 (0x0401)
          rsa_pkcs1_sha384 (0x0501)
          rsa_pkcs1_sha512 (0x0601)
          ecdsa_sha224 (0x0303)
          ecdsa_sha1 (0x0203)
          rsa_pkcs1_sha224 (0x0301)
          rsa_pkcs1_sha1 (0x0201)
          dsa_sha224 (0x0302)
          dsa_sha1 (0x0202)
          dsa_sha256 (0x0402)
          dsa_sha384 (0x0502)
          dsa_sha512 (0x0602)
        extension_type=supported_versions(43), length=9
          TLS 1.3 (772)
          TLS 1.2 (771)
          TLS 1.1 (770)
          TLS 1.0 (769)
        extension_type=psk_key_exchange_modes(45), length=2
          psk_dhe_ke (1)
        extension_type=key_share(51), length=135
            NamedGroup: brainpoolP512r1 (28)
            key_exchange:  (len=129): 044F4D6AD9ACEFEED8FECA90433F924CD45717A95084B487B40C4DD0C8D114671860B94BC48F011608E782D457935935DC159C311C5E9037233C2565BF2ED00A4A6CE908760A44CBA618E546E47FB7B8C7973BE815EEAD61A61AF366B1325B4D728500ADF608F6E5AE118D522E370F7D3242CE737B55C2CA571136EDE843DBDA71

Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = Handshake (22)
  Length = 219
    ServerHello, Length=215
      server_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0x4A5836DD
        random_bytes (len=28): 519F16AEF78D7CF377A2DA9E5C567F1C0E022E1CE3F58118112D90D9
      session_id (len=32): B227272E2418DA572476BEE7D4142C8F885CDF9D56C4D7CCAA6810763B9AFBCF
      cipher_suite {0x13, 0x02} TLS_AES_256_GCM_SHA384
      compression_method: No Compression (0x00)
      extensions, length = 143
        extension_type=supported_versions(43), length=2
            TLS 1.3 (772)
        extension_type=key_share(51), length=133
            NamedGroup: brainpoolP512r1 (28)
            key_exchange:  (len=129): 0451A1A98C919A8DF27DFF6AD3496CAA12ADB49FDD942E6F0DB017D861A2F608CAB9E108D462B7CF5F8AB8D8CF46C1FA4E2A9B012E38A30656D607801DB38278E997189E799AEAACEA2284D47C9B385A0ACD49722DFACD71AA31AB2511382FAA1ED7C9A16E0504E506646F84DB65168623C598725A9653CBBA6DE4A5F6979391B3

Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ChangeCipherSpec (20)
  Length = 1
    change_cipher_spec (1)

Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 23
  Inner Content Type = Handshake (22)
    EncryptedExtensions, Length=2
      No extensions

Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 839
  Inner Content Type = Handshake (22)
    Certificate, Length=818
      context (len=0): 
      certificate_list, length=814
        ASN.1Cert, length=809
------details-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Root CA
        Validity
            Not Before: Jan 14 22:29:46 2016 GMT
            Not After : Jan 15 22:29:46 2116 GMT
        Subject: CN = server.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d5:5d:60:6a:df:fc:61:ee:48:aa:8c:11:48:43:
                    a5:6d:b6:52:5d:aa:98:49:b1:61:92:35:b1:fc:3a:
                    04:25:0c:6d:79:ff:b4:d5:c9:e9:5c:1c:3b:e0:ab:
                    b3:b8:7d:a3:de:6d:bd:e0:dd:d7:5a:bf:14:47:11:
                    42:5e:a6:82:d0:61:c1:7f:dd:13:46:e6:09:85:07:
                    0e:f2:d4:fc:1a:64:d2:0a:ad:20:ab:20:6b:96:f0:
                    ad:cc:c4:19:53:55:dc:01:1d:a4:b3:ef:8a:b4:49:
                    53:5d:8a:05:1c:f1:dc:e1:44:bf:c5:d7:e2:77:19:
                    57:5c:97:0b:75:ee:88:43:71:0f:ca:6c:c1:b4:b2:
                    50:a7:77:46:6c:58:0f:11:bf:f1:76:24:5a:ae:39:
                    42:b7:51:67:29:e1:d0:55:30:6f:17:e4:91:ea:ad:
                    f8:28:c2:43:6f:a2:64:a9:fb:9d:98:92:62:48:3e:
                    eb:0d:4f:82:4a:8a:ff:3f:72:ee:96:b5:ae:a1:c1:
                    98:ba:ef:7d:90:75:6d:ff:5a:52:9e:ab:f5:c0:7e:
                    d0:87:43:db:85:07:07:0f:7d:38:7a:fd:d1:d3:ee:
                    65:1d:d3:ea:39:6a:87:37:ee:4a:d3:e0:0d:6e:f5:
                    70:ac:c2:bd:f1:6e:f3:92:95:5e:a9:f0:a1:65:95:
                    93:8d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C0:E7:84:BF:E8:59:27:33:10:B0:52:4F:51:52:2F:06:D6:C0:7A:CD
            X509v3 Authority Key Identifier: 
                keyid:70:7F:2E:AE:83:68:59:98:04:23:2A:CD:EB:3E:17:CD:24:DD:01:49

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:server.example
    Signature Algorithm: sha256WithRSAEncryption
         7b:d3:04:43:75:8a:0f:11:ae:c4:fb:d7:a1:a2:9e:fe:20:18:
         d5:f4:2f:31:88:46:b6:75:8c:ee:e5:9b:97:a6:b9:a3:cd:60:
         9a:46:c3:48:97:e5:97:68:f7:5a:86:35:73:d9:69:9e:f9:5f:
         74:b9:e6:94:13:01:cb:6a:dc:e3:c4:04:e9:65:da:9c:a4:8b:
         28:f3:f9:9a:7f:bf:97:1f:45:92:e5:05:b1:56:e6:0b:f6:47:
         de:1e:89:b6:2b:e1:4d:df:4a:7e:01:d3:23:dc:97:8c:47:fe:
         5f:c7:cc:98:46:0e:c4:83:5b:ca:8a:f1:52:09:be:6b:ec:3f:
         09:8b:d0:93:02:bf:e1:51:e7:d1:7e:34:56:19:74:d0:ff:28:
         25:de:b7:9f:56:52:91:7d:20:29:85:0a:80:44:5f:71:32:25:
         71:0f:c2:16:e2:5f:6b:1d:3f:32:5b:0a:3c:74:1c:b9:62:f1:
         ed:07:50:a3:6d:b4:b4:31:0a:c0:53:44:6a:3a:88:84:8b:2d:
         a9:b0:37:8e:e6:18:36:bd:9a:20:40:0f:01:92:8b:3d:aa:61:
         e7:ae:2c:ed:36:cd:3a:07:86:74:3a:29:b3:d7:3a:b4:00:a9:
         c2:f5:92:78:0e:e2:0f:a3:fe:bb:be:e0:06:53:84:59:1d:90:
         69:e5:b6:f9
-----BEGIN CERTIFICATE-----
MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD
DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9
o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV
3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/
8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1
rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71
cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS
T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud
EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4
YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI
RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk
iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK
8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi
X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q
YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk=
-----END CERTIFICATE-----
------------------
        No extensions

Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 281
  Inner Content Type = Handshake (22)
    CertificateVerify, Length=260
      Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
      Signature (len=…): …

Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 69
  Inner Content Type = Handshake (22)
    Finished, Length=48
      verify_data (len=48): 2FBF7290E605926A60966CEE1F25F96D117DDD38DF8C18DEC48D98109FDC5099EACCE85DDD0CEBC689EB3DD336607BD2

Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ChangeCipherSpec (20)
  Length = 1
Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 69
  Inner Content Type = Handshake (22)
    Finished, Length=48
      verify_data (len=48): 7F7E8B92115761B1026FE18BB8A8ACCA2E9C25441E7E4759954F630F1BF72D9AC58E82F53BC5A89304B4FC7EC5D35F0A

Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 250
  Inner Content Type = Handshake (22)
    NewSessionTicket, Length=229
        ticket_lifetime_hint=7200
        ticket_age_add=2408968492
        ticket_nonce (len=8): 0000000000000000
        ticket (len=208): CF45533EA33E1CD5A4FEBE7000E927CBAE2EE9DE58B49873100281BCC86F9C044D6BADD1D80CF6E0974194590862F61B30D5B6237AD80A50A2BEA7EC487B8E42B7C4BA5F1A9FC9C56AA44CCB83312587D1A86CA84F97C75723F3F708A7A64E0AFFC1ED7298FA7830CEDFF8D7FAA474BC83E07B1AC1D3EB5A30F6F49C1EBFAA258C4B15EEE4C9C170801FA3BD18438DEB068C207BF4D628B82A572A55936F4E4C2953FB934615A6A76CD1C693AAC32B450AF674F332E04DA43ED33A0FA80A4CD83C583FA92036C7D4B81410B32CBA076C
        No extensions

Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 234
  Inner Content Type = Handshake (22)
    NewSessionTicket, Length=213
        ticket_lifetime_hint=7200
        ticket_age_add=1590793488
        ticket_nonce (len=8): 0000000000000001
        ticket (len=192): CF45533EA33E1CD5A4FEBE7000E927CB07A56D37381FE2D2FDB1F6E9DD83ED9718D92FE9C22C5E5136A9ACF9E007C22C364E206F831F52285F4497C2209E018D2F260F5FB9B8DBED875CFF74DA8B43E21FB78A4EC0742DD7A65F36F5C02F2D24A5133358B18F0C44143D45600BF866C64A727BEB6F24D27931652BE6F170C9BF4566C128F4A4BD66E8D6E78553D78C1272AFE5053F09D9F98EFA0A42EC4A9D97E1F522D99B3886C35D5F08A23CE342027D34B58B3D0A00049BF479B04393B0EF
        No extensions

-----BEGIN SSL SESSION PARAMETERS-----
MH0CAQECAgMEBAITAgQgP5Sj6WO2kApApFRQ8vXnlO/zy6AkS2WIwmBOFWMkeCoE
MHnIf0fRRfexqd8J/IEM+5u9qN5eTCYxWaCPg+BK//d8YqXWAtC//8dKTwoZjRzK
RKEGAgRkgxE5ogQCAhwgpAYEBAEAAACuBgIEXtGVEA==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Supported Elliptic Groups: brainpoolP512r1:X25519
Shared Elliptic groups: brainpoolP512r1:X25519
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported

again, the server sends the invalid HRR:

Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = Handshake (22)
  Length = 219
    ServerHello, Length=215
      server_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0x4A5836DD
        random_bytes (len=28): 519F16AEF78D7CF377A2DA9E5C567F1C0E022E1CE3F58118112D90D9
      session_id (len=32): B227272E2418DA572476BEE7D4142C8F885CDF9D56C4D7CCAA6810763B9AFBCF
      cipher_suite {0x13, 0x02} TLS_AES_256_GCM_SHA384
      compression_method: No Compression (0x00)
      extensions, length = 143
        extension_type=supported_versions(43), length=2
            TLS 1.3 (772)
        extension_type=key_share(51), length=133
            NamedGroup: brainpoolP512r1 (28)
            key_exchange:  (len=129): 0451A1A98C919A8DF27DFF6AD3496CAA12ADB49FDD942E6F0DB017D861A2F608CAB9E108D462B7CF5F8AB8D8CF46C1FA4E2A9B012E38A30656D607801DB38278E997189E799AEAACEA2284D47C9B385A0ACD49722DFACD71AA31AB2511382FAA1ED7C9A16E0504E506646F84DB65168623C598725A9653CBBA6DE4A5F6979391B3

but this time it is accepted by the client and the TLS1.3 protocol is negotiated,
as can be seen by the output of the client:

Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: BFA392E473E2EBC2E12370CCD1E3911184E7D6D7EB632DC5B231B1E2FD719B33
    Session-ID-ctx: 
    Resumption PSK: 79C87F47D145F7B1A9DF09FC810CFB9BBDA8DE5E4C263159A08F83E04AFFF77C62A5D602D0BFFFC74A4F0A198D1CCA44
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - cf 45 53 3e a3 3e 1c d5-a4 fe be 70 00 e9 27 cb   .ES>.>.....p..'.
    0010 - 07 a5 6d 37 38 1f e2 d2-fd b1 f6 e9 dd 83 ed 97   ..m78...........
    0020 - 18 d9 2f e9 c2 2c 5e 51-36 a9 ac f9 e0 07 c2 2c   ../..,^Q6......,
    0030 - 36 4e 20 6f 83 1f 52 28-5f 44 97 c2 20 9e 01 8d   6N o..R(_D.. ...
    0040 - 2f 26 0f 5f b9 b8 db ed-87 5c ff 74 da 8b 43 e2   /&._.....\.t..C.
    0050 - 1f b7 8a 4e c0 74 2d d7-a6 5f 36 f5 c0 2f 2d 24   ...N.t-.._6../-$
    0060 - a5 13 33 58 b1 8f 0c 44-14 3d 45 60 0b f8 66 c6   ..3X...D.=E`..f.
    0070 - 4a 72 7b eb 6f 24 d2 79-31 65 2b e6 f1 70 c9 bf   Jr{.o$.y1e+..p..
    0080 - 45 66 c1 28 f4 a4 bd 66-e8 d6 e7 85 53 d7 8c 12   Ef.(...f....S...
    0090 - 72 af e5 05 3f 09 d9 f9-8e fa 0a 42 ec 4a 9d 97   r...?......B.J..
    00a0 - e1 f5 22 d9 9b 38 86 c3-5d 5f 08 a2 3c e3 42 02   .."..8..]_..<.B.
    00b0 - 7d 34 b5 8b 3d 0a 00 04-9b f4 79 b0 43 93 b0 ef   }4..=.....y.C...

    Start Time: 1686311225
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

@lan1120
Contributor Author

lan1120 commented Jun 10, 2023

Another scenario

Server Configuration:
OpenSSL version: master #21163
groups_list:"brainpoolP512r1:X25519"
tls_version: no limit

Client Configuration:
OpenSSL version: 1.1.1n
groups_list:"brainpoolP512r1"
tls_version: no limit

Server error log:
0A000065:SSL routines:final_key_share:no suitable key share

In OpenSSL 3.X, brainpoolP512r1 is not allowed on TLS 1.3. In the above scenario, can I expect TLS 1.2 to be negotiated?

@bernd-edlinger
Member

Yeah, I see what you mean.
But in this case one could argue that the client has an invalid configuration, since
the admin should know that there is no suitable group for tls 1.3.
But this is a correct configuration, where a connection with tls1.2 should be negotiated:
./openssl s_server -groups secp224r1:X448
./openssl s_client -groups secp224r1:X25519
Both sides are built from master with #21163 applied.

@t8m
Member

t8m commented Jun 10, 2023

Version negotiation and group negotiation are separate logical steps. Although in theory we could fall back to tls-1.2 in case both sides support both tls-1.3 and tls-1.2 but do not have an intersecting group for tls-1.3, it would not be a good idea to do so. We had similar requests before and they were rejected.
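The decision that the root-cause note, the fix's commit message ("we reject it. We should not ask for that same group again in a subsequent HRR"), the second scenario and the comment above all describe can be modelled in a few lines. The following is an added example written for this page, not OpenSSL's code: it imitates the server's choice once the protocol version is fixed (accept a client key_share, fall back to a HelloRetryRequest, or fail with the equivalent of "no suitable key share"), with the version filter either applied or deliberately omitted to reproduce the reported behaviour, and runs the configurations named in the thread through it. The group table, the `negotiate` wrapper and the assumption that a client sends a key_share only for the first group in its list (as the traces above show) are constructed for the example; the codepoints are IANA values, and TLS 1.3 eligibility follows RFC 8446 (no brainpool or secp224r1 groups) and RFC 8734 (separate TLS 1.3 brainpool codepoints, so the `UNKNOWN (33)` in the trace above is brainpoolP512r1tls13).

```python
"""Model of the server-side TLS 1.3 key_share / HelloRetryRequest (HRR) group
choice discussed in this issue.  Added example, not OpenSSL code: it imitates
the decision, not OpenSSL's implementation."""
from dataclasses import dataclass
from typing import Optional, Sequence

TLS12, TLS13 = "TLSv1.2", "TLSv1.3"


@dataclass(frozen=True)
class Group:
    name: str
    codepoint: int   # IANA "TLS Supported Groups" value
    tls12_ok: bool   # usable for ECDHE in TLS 1.2
    tls13_ok: bool   # permitted as a TLS 1.3 key_share group


# Constructed table covering only the groups named in the thread.  TLS 1.3
# eligibility follows RFC 8446 (no brainpool or secp224r1 groups) and RFC 8734
# (separate *tls13 codepoints for brainpool, e.g. 33 for brainpoolP512r1tls13).
GROUPS = {g.name: g for g in (
    Group("secp224r1", 21, True, False),
    Group("brainpoolP512r1", 28, True, False),
    Group("X25519", 29, True, True),
    Group("X448", 30, True, True),
    Group("brainpoolP512r1tls13", 33, False, True),
)}


def parse_groups_list(spec: str) -> list[Group]:
    """Parse an OpenSSL-style colon-separated groups list (preference order)."""
    return [GROUPS[name] for name in spec.split(":")]


def usable(group: Group, version: str) -> bool:
    """Is the group permitted under the already-negotiated protocol version?"""
    return group.tls13_ok if version == TLS13 else group.tls12_ok


def select_group(server_groups: Sequence[Group], client_supported: Sequence[Group],
                 client_key_shares: Sequence[Group], version: str,
                 filter_hrr: bool = True) -> tuple[str, Optional[str]]:
    """Decide what the server does once the version is fixed.

    Returns (action, group name) with action one of:
      "tls12"     TLS 1.2 ECDHE group chosen from supported_groups
      "use_share" a client key_share was acceptable; handshake continues
      "hrr"       send a HelloRetryRequest asking for that group
      "fail"      no usable group at all (OpenSSL: "no suitable key share")
    filter_hrr=False reproduces the defect fixed by #21163: the HRR candidate
    search ignores whether the group is allowed for the negotiated version,
    so a share that was just rejected can be requested again.
    """
    if version == TLS12:
        for g in server_groups:
            if g in client_supported and usable(g, TLS12):
                return "tls12", g.name
        return "fail", None
    # TLS 1.3, step 1: accept the first client key_share that is in our own
    # list and is permitted for TLS 1.3.
    for g in client_key_shares:
        if g in server_groups and usable(g, TLS13):
            return "use_share", g.name
    # Step 2: no acceptable share.  Pick the HRR group in server preference
    # order from the groups the client advertised.
    for g in server_groups:
        if g in client_supported and (usable(g, TLS13) or not filter_hrr):
            return "hrr", g.name
    return "fail", None


def negotiate(server_spec: str, client_spec: str, version: str,
              filter_hrr: bool = True) -> tuple[str, Optional[str]]:
    """Wrapper for the thread's configurations.  Assumption (matches the traces
    above): the client offers every group in its list and sends a key_share
    only for the first one."""
    server = parse_groups_list(server_spec)
    client = parse_groups_list(client_spec)
    return select_group(server, client, client[:1], version, filter_hrr)


if __name__ == "__main__":
    cases = [
        # issue report: defect asks for brainpoolP512r1 again, fix asks for X25519
        ("brainpoolP512r1:X25519", "brainpoolP512r1:X25519", TLS13, False),
        ("brainpoolP512r1:X25519", "brainpoolP512r1:X25519", TLS13, True),
        # 111-features client: key_share for codepoint 33, unknown to the server
        ("brainpoolP512r1:X25519", "brainpoolP512r1tls13:brainpoolP512r1:X25519", TLS13, True),
        # second scenario: nothing usable for TLS 1.3 and no fallback to TLS 1.2
        ("brainpoolP512r1:X25519", "brainpoolP512r1", TLS13, True),
        ("brainpoolP512r1:X25519", "brainpoolP512r1", TLS12, True),
        # the secp224r1 case from the comment above
        ("secp224r1:X448", "secp224r1:X25519", TLS13, True),
        ("secp224r1:X448", "secp224r1:X25519", TLS12, True),
    ]
    for server, client, version, fix in cases:
        print(f"{server:24} {client:45} {version} fix={fix!s:5} -> "
              f"{negotiate(server, client, version, fix)}")
```

The model keeps the two steps separate on purpose: `version` is an input, never an output, so when both sides support TLS 1.3 but share no TLS 1.3-capable group the result is "fail", not a retry at TLS 1.2. That is the behaviour the maintainers describe as intended; an operator who needs TLS 1.2 with a legacy curve has to cap the version explicitly rather than rely on the groups list to force a downgrade.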

openssl-machine pushed a commit that referenced this issue Jun 23, 2023
If the client sends us a group in a key_share that is in our
supported_groups list but is otherwise not suitable (e.g. not compatible
with TLSv1.3) we reject it. We should not ask for that same group again
in a subsequent HRR.

Fixes #21157

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from #21163)

(cherry picked from commit 7a949ae)
openssl-machine pushed a commit that referenced this issue Jun 23, 2023
If the client sends us a group in a key_share that is in our
supported_groups list but is otherwise not suitable (e.g. not compatible
with TLSv1.3) we reject it. We should not ask for that same group again
in a subsequent HRR.

Fixes #21157

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from #21163)

(cherry picked from commit 7a949ae)